I started a Hydra service on NixOS. I successfully added a project that checks out a private git repository by adding the ssh key to the hydra user’s .ssh folder, but when the actual jobs run they fail with:
```
<3>exporting <GIT_URL> (rev <COMMIT>) into <STORE_PKG_PATH>
<3>Initialized empty Git repository in <STORE_PKG_PATH>/.git/
<3>No user exists for uid 1000
<3>fatal: Could not read from remote repository.
<3>
<3>Please make sure you have the correct access rights
<3>and the repository exists.
<3>No user exists for uid 1000
<3>fatal: Could not read from remote repository.
<3>
<3>Please make sure you have the correct access rights
<3>and the repository exists.
<3>Unable to checkout <COMMIT> from <GIT_URL>
<3>builder for <NIX_STORE_PATH> failed with exit code 1
```
even though I added the key to all 3 users (hydra, hydra-queue-runner and root) and tested with all 3 of them that they are indeed able to clone the repo.
The job expressions reference the git repository by calling fetchgit.
I now came across this thread from 2017.
Even though in it they’re using fetchgitPrivate, it points out possible causes for my issue.
Most likely the builds are being run by nixbldX users, or it is one of the restrictions of sandboxed mode.
The resolution of the thread was that you basically want to pass the private repo sources as inputs to your build and let hydra fetch them for you.
This doesn’t feel too nice, as I don’t see why private repos should be handled differently from publicly accessible ones, so if anyone has a more up-to-date solution, feel free to share any ideas.
I recommend using builtins.fetchGit. It will use the SSH configuration of the user invoking the build. In a project of mine I am now converting all uses of nixpkgs.fetchgitPrivate to builtins.fetchGit.
It is not clear to me though why builtins.fetchGit is restricted while all other methods get to access repos without any restrictions (just imagine listing the urls used by nixpkgs).
The difference is between whether the fetching is done by the evaluator or as a build step. builtins.fetchGit and builtins.fetchTarball are typically executed during evaluation because their purpose is to fetch Nix expressions. On the other hand, nixpkgs.fetchurl and nixpkgs.fetchgit are typically executed as a build.
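The following release.nix is an added example (not code from anyone in this thread) that puts the three approaches discussed above side by side: the build-time `pkgs.fetchgit` that fails in the sandbox, the evaluation-time `builtins.fetchGit` that uses the evaluator's SSH configuration, and the Hydra-input approach from the earlier thread where Hydra clones the repository itself and passes the checkout in as a function argument. The repository URL, the commit, the input name `appSrc` and the trivial build are all constructed placeholders.

```nix
# release.nix -- added example, not from the thread.
# Assumptions: the Hydra jobset is configured with two inputs,
#   nixpkgs (type git, a nixpkgs checkout) and
#   appSrc  (type git, the private repo; Hydra clones it over SSH itself
#            and hands this file an attrset with outPath, rev, ...).
# git@example.invalid:org/app.git and <COMMIT> are placeholders.
{ nixpkgs, appSrc ? null }:

let
  pkgs = import nixpkgs { };

  # Build-time fetch: this is a derivation, so it runs in the build sandbox
  # as a nixbld user with no home directory, no ~/.ssh and no SSH agent.
  # That is the path that produces "No user exists for uid ..." and
  # "Could not read from remote repository" in the log above.
  srcViaBuild = pkgs.fetchgit {
    url = "git@example.invalid:org/app.git";
    rev = "<COMMIT>";
    sha256 = pkgs.lib.fakeSha256; # placeholder; replace with the real hash
  };

  # Evaluation-time fetch: runs inside the evaluator process, so it uses the
  # ~/.ssh of whichever user runs hydra-evaluator, not a nixbld user.
  # The pinned rev keeps the evaluation reproducible.
  srcViaEval = builtins.fetchGit {
    url = "git@example.invalid:org/app.git";
    ref = "main";
    rev = "<COMMIT>";
  };

  # Prefer the Hydra input when the jobset supplies it; fall back to the
  # evaluation-time fetch so the file also works with plain nix-build.
  src = if appSrc != null then appSrc else srcViaEval;

  mkApp = src: pkgs.stdenv.mkDerivation {
    pname = "app";
    version = "0.1";
    inherit src;
    # constructed trivial build so the example is self-contained
    installPhase = ''
      mkdir -p $out/src
      cp -r . $out/src
    '';
  };
in
{
  # Job that works: source comes from the Hydra input or builtins.fetchGit.
  app = mkApp src;

  # Job kept only to show the failure mode: the fetch happens as a build
  # step inside the sandbox and cannot reach a private repo over SSH.
  app-build-time-fetch = mkApp srcViaBuild;
}
```

With the jobset input configured, `app` evaluates and builds because the private checkout never has to be fetched from inside a sandboxed builder; `app-build-time-fetch` reproduces the error in the question. For a local check without Hydra, `nix-build release.nix --arg nixpkgs <path-to-nixpkgs> -A app` exercises the `builtins.fetchGit` fallback using your own SSH configuration.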